
Conversation

@igennova (Contributor) commented Aug 16, 2025

Fixes: #4494

Command to run:
python manage.py create_xss_tasks

Summary by CodeRabbit

  • New Features

    • Added an XSS lab pre-populated with eight ready-to-use tasks (theory MCQs and simulations).
    • Task view now shows lab-specific payload prompts/placeholders for XSS and SQLi, with a generic fallback.
  • Style

    • Removed Previous/Next navigation links from the task page.
    • Minor comment and documentation cleanups in backend/notification code (no runtime behavior changes).

coderabbitai bot (Contributor) commented Aug 16, 2025

Walkthrough

Adds a Django management command to seed eight Cross-Site Scripting (XSS) lab tasks, updates the task detail template to render lab-specific simulation payload inputs (including XSS), removes the Previous/Next navigation block from the template, and removes a few non-functional comments.

Changes

Cohort / File(s) | Summary

XSS lab seeding command
website/management/commands/create_xss_tasks.py
New Django management command that finds the "Cross-Site Scripting (XSS)" lab, iterates eight predefined tasks, uses get_or_create for Task and update_or_create for TaskContent (theory/MCQ or simulation), logs per-task outcomes, and calls lab.update_total_tasks().

Task detail template conditional payload UI
website/templates/task_detail.html
Replaces a single simulation payload textarea with lab-based conditional inputs (SQL Injection, Cross-Site Scripting (XSS), or generic), adds lab-specific labels/placeholders for payload textarea, and removes the Previous/Next navigation links leaving an empty container.

Minor cosmetic edits
blt/mail.py, website/models.py, website/management/commands/create_sql_injection_tasks.py, website/management/commands/create_csrf_tasks.py
Removed inline/comment lines only; no behavioral or control-flow changes.

Sequence Diagram(s)

sequenceDiagram
  actor Admin
  participant CLI as manage.py
  participant Command as create_xss_tasks.py
  participant ORM as Django ORM
  participant DB as Database
  Admin->>CLI: python manage.py create_xss_tasks
  CLI->>Command: run handle()
  Command->>ORM: get Lab(name="Cross-Site Scripting (XSS)")
  ORM->>DB: SELECT lab
  DB-->>ORM: Lab instance or None
  alt Lab not found
    Command-->>Admin: print error and exit
  else Lab found
    loop for each predefined task
      Command->>ORM: get_or_create Task(lab,name,order)
      ORM->>DB: SELECT/INSERT task
      ORM-->>Command: Task instance
      Command->>ORM: update_or_create TaskContent by task
      ORM->>DB: SELECT/UPDATE/INSERT content
      ORM-->>Command: TaskContent instance
      Command-->>Admin: print status
    end
    Command->>ORM: lab.update_total_tasks()
    ORM->>DB: UPDATE lab.total_tasks
    DB-->>ORM: OK
    Command-->>Admin: print final task count
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Assessment against linked issues

Objective | Addressed | Explanation
Seed Cross-Site Scripting lab with tasks (#4494)
Make task UI context-aware for XSS (#4494)

Assessment against linked issues: Out-of-scope changes

Code Change | Explanation
Removal of Previous/Next navigation (website/templates/task_detail.html) | Navigation links removed; this UI removal is not required by the seeding or payload-context objectives in #4494.

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 4d16427 and ec0a1b4.

📒 Files selected for processing (1)
  • website/management/commands/create_csrf_tasks.py (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • website/management/commands/create_csrf_tasks.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Run Tests
  • GitHub Check: docker-test

coderabbitai bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (3)
website/templates/task_detail.html (2)

126-147: Decouple UI logic from lab.name; key off simulation type instead

String-matching on lab.name is brittle (renames, i18n). Prefer using content.simulation_config.type to drive the XSS payload prompt, with SQL Injection as a fallback.

Apply this diff to make the prompt resilient to lab renames:

-        {% if lab.name == "SQL Injection" %}
-            <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your SQL injection payload:</label>
-            <textarea id="payload"
-                      name="payload"
-                      rows="4"
-                      class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-                      placeholder="Enter your SQL injection payload here..."></textarea>
-        {% elif lab.name == "Cross-Site Scripting (XSS)" %}
-            <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your XSS payload:</label>
-            <textarea id="payload"
-                      name="payload"
-                      rows="4"
-                      class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-                      placeholder="Enter your XSS payload here... (e.g., &lt;script&gt;alert('XSS')&lt;/script&gt;)"></textarea>
-        {% else %}
-            <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your payload:</label>
-            <textarea id="payload"
-                      name="payload"
-                      rows="4"
-                      class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-                      placeholder="Enter your payload here..."></textarea>
-        {% endif %}
+        {% with sim_type=content.simulation_config.type %}
+          {% if sim_type == 'reflected_xss' or sim_type == 'stored_xss' or sim_type == 'dom_xss' or sim_type == 'filter_bypass' or sim_type == 'cookie_theft' %}
+              <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your XSS payload:</label>
+              <textarea id="payload"
+                        name="payload"
+                        rows="4"
+                        class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
+                        placeholder="Enter your XSS payload here... (e.g., &lt;script&gt;alert('XSS')&lt;/script&gt;)"></textarea>
+          {% elif lab.name == "SQL Injection" %}
+              <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your SQL injection payload:</label>
+              <textarea id="payload"
+                        name="payload"
+                        rows="4"
+                        class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
+                        placeholder="Enter your SQL injection payload here..."></textarea>
+          {% else %}
+              <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your payload:</label>
+              <textarea id="payload"
+                        name="payload"
+                        rows="4"
+                        class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
+                        placeholder="Enter your payload here..."></textarea>
+          {% endif %}
+        {% endwith %}
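Review bot: the `+` side swaps one brittle comparison for another. The five simulation types ('reflected_xss', 'stored_xss', 'dom_xss', 'filter_bypass', 'cookie_theft') are enumerated inline in the template, so any XSS task type later added to create_xss_tasks.py silently falls through to the generic prompt, and the SQL Injection branch still compares lab.name. A single family marker carried in the config (something like `simulation_config.family == "xss"`, a hypothetical key) or a label and placeholder passed in from the view would reduce the `{% with %}` to one test. Worth a comment too: the XSS check now runs first for every task, and on theory/MCQ tasks `content.simulation_config.type` resolves to the engine's empty "invalid variable" string rather than raising, which is why the fallthrough is safe.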

169-169: Remove empty navigation container

This empty div renders extra spacing but no content. Either restore the previous/next links or remove it.

Apply this diff to remove the empty container:

-                <div class="mt-8 flex justify-between"></div>
website/management/commands/create_xss_tasks.py (1)

255-265: Prefer update_or_create keyed by (lab, name) to avoid accidental duplicates when order changes

Keying get_or_create by both name and order makes the seed non-idempotent if you reorder tasks later; it can create a second row and potentially violate the unique (lab, order) constraint.

-            task, created = Tasks.objects.get_or_create(
-                lab=xss_lab,
-                name=task_data["name"],
-                order=task_data["order"],
-                defaults={
-                    "description": task_data["description"],
-                    "task_type": task_data["task_type"],
-                    "is_active": True,
-                },
-            )
+            task, created = Tasks.objects.update_or_create(
+                lab=xss_lab,
+                name=task_data["name"],
+                defaults={
+                    "order": task_data["order"],
+                    "description": task_data["description"],
+                    "task_type": task_data["task_type"],
+                    "is_active": True,
+                },
+            )
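Review bot: keying on (lab, name) makes `description`, `task_type` and `is_active` overwrite on every run, so a re-run silently reverts any edit an admin made to those fields; if that is intended, say so in the command's help text. The larger gap is the order collision: with a unique (lab, order) constraint, swapping two tasks' orders raises IntegrityError on the first `update_or_create`, and nothing in this hunk wraps the loop in `transaction.atomic()`, so earlier rows stay updated, later ones do not, and `lab.update_total_tasks()` never runs. Wrap the loop in `with transaction.atomic():` and, if reordering is expected, park the lab's existing orders (negate them, for instance) before assigning the new ones.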

Note: if the new order collides with an existing task’s order, you’ll still hit the (lab, order) uniqueness constraint—this refactor avoids silent duplication by name, not conflicts by order.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between a78bedf and c203f95.

📒 Files selected for processing (2)
  • website/management/commands/create_xss_tasks.py (1 hunks)
  • website/templates/task_detail.html (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
website/management/commands/create_xss_tasks.py (1)
website/models.py (4)
  • Labs (2458-2483)
  • TaskContent (2510-2526)
  • Tasks (2486-2507)
  • update_total_tasks (2468-2475)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Run Tests
  • GitHub Check: docker-test
🔇 Additional comments (1)
website/management/commands/create_xss_tasks.py (1)

51-57: Confirm MCQ option format matches template’s expectation

The template sets radio values via value="{{ option.0 }}", which for a string uses its first character. Your options are like "A) …". That works, but it’s easy to break if formatting changes.

Please verify that elsewhere in the app (other labs) options follow the same convention. If not, consider storing options as pairs so values are explicit, e.g., ["A", "Reflected XSS"], and adjust the template accordingly.
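The idempotency problem discussed in the nitpick above (a name-keyed upsert colliding with the unique (lab, order) constraint once the seed data is reordered) is easy to reproduce outside Django. The following is an added example, not code from the OWASP-BLT project or from this PR: plain sqlite3 stands in for the ORM, the `tasks` table, its column names and the seed task names are constructed for the illustration, and `atomic_seed` shows the two-phase reorder inside one transaction that a `transaction.atomic()` block would give the management command.

```python
import sqlite3

LAB_ID = 1  # stand-in for the "Cross-Site Scripting (XSS)" Labs row

# Constructed seed data for the illustration; not the PR's eight tasks.
SEED_V1 = [("Intro", 1), ("Reflected XSS", 2), ("Stored XSS", 3)]
# A later revision adds one task and swaps the order of two existing ones.
SEED_V2 = [("Intro", 1), ("DOM XSS", 4), ("Stored XSS", 2), ("Reflected XSS", 3)]


def make_db():
    """In-memory table carrying the two constraints the review cites:
    unique (lab, name) and unique (lab, order). 'ord' avoids the SQL keyword."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tasks ("
        " id INTEGER PRIMARY KEY, lab_id INTEGER NOT NULL, name TEXT NOT NULL,"
        " ord INTEGER NOT NULL, is_active INTEGER NOT NULL DEFAULT 1,"
        " UNIQUE (lab_id, name), UNIQUE (lab_id, ord))"
    )
    return conn


def _upsert_row(conn, lab_id, name, order):
    """update_or_create keyed by (lab, name): update the row, insert if absent."""
    cur = conn.execute(
        "UPDATE tasks SET ord = ?, is_active = 1 WHERE lab_id = ? AND name = ?",
        (order, lab_id, name),
    )
    if cur.rowcount == 0:
        conn.execute(
            "INSERT INTO tasks (lab_id, name, ord) VALUES (?, ?, ?)",
            (lab_id, name, order),
        )


def naive_seed(conn, lab_id, seed):
    """One upsert per row under Django-style autocommit: every row is its own
    transaction, so a collision mid-loop leaves earlier rows applied."""
    for name, order in seed:
        _upsert_row(conn, lab_id, name, order)
        conn.commit()


def atomic_seed(conn, lab_id, seed):
    """Same upsert inside a single transaction. Existing orders are parked on
    negative values first, so a swapped order never collides with a row that
    has not been moved yet; any failure rolls the whole run back."""
    with conn:  # commit on success, roll back on exception
        conn.execute("UPDATE tasks SET ord = -ord WHERE lab_id = ? AND ord > 0", (lab_id,))
        for name, order in seed:
            _upsert_row(conn, lab_id, name, order)
        # Rows still parked were dropped from the seed: keep them, but retire them.
        conn.execute("UPDATE tasks SET is_active = 0 WHERE lab_id = ? AND ord < 0", (lab_id,))


def snapshot(conn, lab_id):
    rows = conn.execute(
        "SELECT name, ord, is_active FROM tasks WHERE lab_id = ? ORDER BY ord", (lab_id,)
    )
    return [tuple(r) for r in rows]


def naive_result():
    """Seed V1, then re-seed V2 naively; return (raised, table state)."""
    conn = make_db()
    naive_seed(conn, LAB_ID, SEED_V1)
    try:
        naive_seed(conn, LAB_ID, SEED_V2)
        raised = False
    except sqlite3.IntegrityError:
        raised = True
    return raised, snapshot(conn, LAB_ID)


def atomic_result():
    """Seed V1, then re-seed V2 atomically; return the final table state."""
    conn = make_db()
    atomic_seed(conn, LAB_ID, SEED_V1)
    atomic_seed(conn, LAB_ID, SEED_V2)
    return snapshot(conn, LAB_ID)


if __name__ == "__main__":
    print("naive :", naive_result())
    print("atomic:", atomic_result())
```

`naive_result()` reproduces what the review describes: the second run raises IntegrityError on the first swapped row, and because each row committed on its own, the new "DOM XSS" task is already in place while the two swapped tasks still carry their old orders, a half-applied state the command would report nothing about. `atomic_seed` parks the lab's existing orders as negatives before assigning the new ones, so no final value can collide, and rolls everything back if anything fails.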
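To make the `option.0` point concrete: an added example, not code from the project, that reproduces the lookup order Django's template engine applies to `{{ option.0 }}` (dictionary key, then attribute, then list index), shows why it yields "A" for both `"A) Reflected XSS"` and `["A", "Reflected XSS"]` and breaks on a stray leading space, and normalises both formats into explicit pairs before checking an answer server-side. `OPTION_RE`, `normalize_options` and `is_correct` are illustrative names, not functions in the BLT code base.

```python
import re


def template_lookup(value, bit):
    """Reproduce the order Django's Variable resolution tries for one dotted
    segment such as the "0" in {{ option.0 }}: dict key, attribute, list index."""
    try:
        return value[bit]  # dictionary lookup
    except (TypeError, KeyError, IndexError):
        pass
    try:
        return getattr(value, bit)  # attribute lookup
    except AttributeError:
        pass
    return value[int(bit)]  # list-index lookup; on a str this is the first character


def radio_value(option):
    """The value a radio input receives from value="{{ option.0 }}"."""
    return template_lookup(option, "0")


# Illustrative option formats: the seeder's "A) text" strings and explicit pairs.
OPTION_RE = re.compile(r"^([A-Z])\)\s*(\S.*?)\s*$")


def normalize_options(options):
    """Return [(key, text), ...] for "A) text" strings or [key, text] pairs,
    rejecting malformed entries and duplicate keys so a quiz cannot ship two
    options that submit the same value."""
    pairs = []
    seen = set()
    for opt in options:
        if isinstance(opt, str):
            m = OPTION_RE.match(opt)
            if not m:
                raise ValueError(f"malformed option: {opt!r}")
            key, text = m.group(1), m.group(2)
        else:
            key, text = opt
        if key in seen:
            raise ValueError(f"duplicate option key: {key!r}")
        seen.add(key)
        pairs.append((key, text))
    return pairs


def is_correct(options, submitted, correct_key):
    """Server-side check: the submitted value must be one of the option keys
    and equal the stored answer key; a tampered or unknown value is False."""
    keys = {k for k, _ in normalize_options(options)}
    return submitted in keys and submitted == correct_key


if __name__ == "__main__":
    for opt in ("A) Reflected XSS", ["A", "Reflected XSS"], " A) Reflected XSS"):
        print(repr(opt), "->", repr(radio_value(opt)))
```

The third case in the usage block is the failure mode the comment warns about: one leading space in a seeded string and the radio value becomes " ", which no stored answer key will ever match.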

coderabbitai bot previously approved these changes Aug 16, 2025
coderabbitai bot previously approved these changes Aug 16, 2025
coderabbitai bot previously approved these changes Aug 16, 2025
DonnieBLT previously approved these changes Aug 16, 2025
@DonnieBLT DonnieBLT added this pull request to the merge queue Aug 16, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Aug 16, 2025
@igennova igennova dismissed stale reviews from DonnieBLT and coderabbitai[bot] via 49e7c33 August 16, 2025 17:04
coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (1)
website/templates/task_detail.html (1)

126-157: Fix unreachable CSRF branch and simplify conditional rendering

The nested condition inside the "SQL Injection" branch makes the XSS/CSRF label/placeholder paths unreachable there. As a result, for "Cross-Site Request Forgery" labs, the top-level else branch is taken and the CSRF-specific prompt is never shown (you get the generic one). Flatten the branching and add an explicit CSRF branch at the top level.

Apply this diff to replace the whole block with a flat, readable chain:

-                                            {% if lab.name == "SQL Injection" %}
-                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">
-                                                {% if lab.name == "SQL Injection" %}
-                                                    Enter your SQL injection payload:
-                                                {% elif lab.name == "Cross-Site Scripting (XSS)" %}
-                                                    Enter your XSS payload:
-                                                {% elif lab.name == "Cross-Site Request Forgery" %}
-                                                    Enter your CSRF attack code:
-                                                {% else %}
-                                                    Enter your payload:
-                                                {% endif %}
-                                            </label>
-                                                <textarea id="payload"
-                                                          name="payload"
-                                                          rows="4"
-                                                          class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-                                                          placeholder="{% if lab.name == 'SQL Injection' %}Enter your SQL injection payload here...{% elif lab.name == 'Cross-Site Scripting (XSS)' %}Enter your XSS payload here...{% elif lab.name == 'Cross-Site Request Forgery' %}Enter your CSRF attack code here...{% else %}Enter your payload here...{% endif %}"></textarea>
-                                            {% elif lab.name == "Cross-Site Scripting (XSS)" %}
-                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your XSS payload:</label>
-                                                <textarea id="payload"
-                                                          name="payload"
-                                                          rows="4"
-                                                          class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-                                                          placeholder="Enter your XSS payload here... (e.g., &lt;script&gt;alert('XSS')&lt;/script&gt;)"></textarea>
-                                            {% else %}
-                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your payload:</label>
-                                                <textarea id="payload"
-                                                          name="payload"
-                                                          rows="4"
-                                                          class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3"
-                                                          placeholder="Enter your payload here..."></textarea>
-                                            {% endif %}
+                                            {% if lab.name == "SQL Injection" %}
+                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your SQL injection payload:</label>
+                                                <textarea id="payload" name="payload" rows="4" class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3" placeholder="Enter your SQL injection payload here..."></textarea>
+                                            {% elif lab.name == "Cross-Site Scripting (XSS)" %}
+                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your XSS payload:</label>
+                                                <textarea id="payload" name="payload" rows="4" class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3" placeholder="Enter your XSS payload here... (e.g., &lt;script&gt;alert('XSS')&lt;/script&gt;)"></textarea>
+                                            {% elif lab.name == "Cross-Site Request Forgery" %}
+                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your CSRF attack code:</label>
+                                                <textarea id="payload" name="payload" rows="4" class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3" placeholder="Enter your CSRF attack code here..."></textarea>
+                                            {% else %}
+                                                <label for="payload" class="block text-sm font-medium text-gray-700 mb-2">Enter your payload:</label>
+                                                <textarea id="payload" name="payload" rows="4" class="shadow-sm focus:ring-[#e74c3c] focus:border-[#e74c3c] mt-1 block w-full sm:text-sm border border-gray-300 rounded-md p-3" placeholder="Enter your payload here..."></textarea>
+                                            {% endif %}
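Review bot: the `+` side makes the CSRF branch reachable, but it still emits the same textarea four times with only the label and placeholder strings varying, and it compares lab.name against three display-name literals that double as the lookup key in the seeding commands (the walkthrough shows the XSS command doing `get Lab(name="Cross-Site Scripting (XSS)")`), so a rename breaks the seeder loudly and the template silently. Compute the two strings once, in the view or in a `{% with %}` keyed on something stable, and emit a single textarea. The `&lt;script&gt;alert('XSS')&lt;/script&gt;` hint is fine where it is: entities inside a placeholder attribute are decoded to text by the browser and never parsed as markup, so the prompt displays the example payload without executing it.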

Additionally, string-matching on lab.name is brittle (renames, i18n). Prefer a stable slug/type supplied by the backend, or pass label/placeholder from content.simulation_config.

🧹 Nitpick comments (2)
website/templates/task_detail.html (2)

179-179: Remove leftover empty container after removing navigation

This empty flex container serves no purpose and adds unnecessary DOM.

-                <div class="mt-8 flex justify-between"></div>
+                {# navigation removed intentionally #}

126-157: Avoid hardcoding lab.name for branching in the template

We verified that the only identifiers on Labs are the name field and there is no slug. While the three names (“SQL Injection”, “Cross-Site Scripting (XSS)”, “Cross-Site Request Forgery”) are seeded in create_initial_labs.py and used in your management commands, branching on display names is brittle—any rename or typo will silently fall back to the generic branch.

Consider one of the following refactors:

  • Add a slug = models.SlugField(unique=True) to the Labs model, backfill existing records, and switch your template to if lab.slug == "sql-injection" (and likewise for the others).
  • Or, encapsulate the label/placeholder logic in your view (or a small template tag) and pass explicit strings into the context, eliminating in-template name comparisons.

Locations to update:

  • website/models.py (add slug to Labs)
  • website/management/commands/create_initial_labs.py (populate the new slug)
  • website/templates/task_detail.html (branch on slug or use injected labels)

[optional_refactors_recommended]

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Knowledge Base: Disabled due to Reviews > Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between c7063a4 and 49e7c33.

📒 Files selected for processing (4)
  • website/management/commands/create_csrf_tasks.py (1 hunks)
  • website/management/commands/create_sql_injection_tasks.py (0 hunks)
  • website/models.py (0 hunks)
  • website/templates/task_detail.html (3 hunks)
💤 Files with no reviewable changes (2)
  • website/models.py
  • website/management/commands/create_sql_injection_tasks.py
✅ Files skipped from review due to trivial changes (1)
  • website/management/commands/create_csrf_tasks.py
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Run Tests
  • GitHub Check: docker-test

coderabbitai bot previously approved these changes Aug 16, 2025
@igennova igennova requested a review from DonnieBLT August 16, 2025 17:34
@DonnieBLT DonnieBLT enabled auto-merge August 21, 2025 18:33
@DonnieBLT DonnieBLT added this pull request to the merge queue Aug 21, 2025
Merged via the queue into OWASP-BLT:main with commit 061eb94 Aug 21, 2025
12 checks passed
Development

Successfully merging this pull request may close these issues: Cross-site-Lab

2 participants